Blocking DDoS Archive

Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

  • Request an application-id using POST to URI http://x.x.x.x:8088/ws/v1/cluster/apps/new-application
  • Use the ‘application-id’ from the response in step 1 and submit a new task to the cluster manager using the POST method to URI http://x.x.x.x:8088/ws/v1/cluster/apps and with the body containing the following JSON encoded data structure:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, slowly starting end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.

Older exploits from servers that are offline by now were referencing a well-known Mirai variant Owari, infamous because of the weak password used by the hackers for securing their command and control database:

More recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday Oct 21st. The same server also hosts the typical shell script we came to expect from multiplatform IoT malwares:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed to be different enough to continue the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:

  • A bot command and control listener service – allowing bots to register and listen for new commands form the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server which is hardcoded with IP and port. If no port was specified for the C2 server the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

Bot_ip

The public IP address of the device or server infected with DemonBot:

Port

Either 22 or 23 depending on the availability of python or perl and telnetd on the device/server:

Build

“Python Device”, “Perl Device”, “Telnet Device” or “Unknown” depending on the availability of a Python or Perl interpreter on the device server:

Arch

The architecture, determined at build time and depending on the executing binary on the compromised platform – supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc

OS

Limited identification of the host OS running the bot based on package installer configuration files. Value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets:

Fixed payload used by the STD UDP attack:

IOC

8805830c7d28707123f96cf458c1aa41  wget
1bd637c0444328563c995d6497e2d5be  tftp
a89f377fcb66b88166987ae1ab82ca61  sshd
8b0b5a6ee30def363712e32b0878a7cb  sh
86741291adc03a7d6ff3413617db73f5  pftp
3e6d58bd8f10a6320185743d6d010c4f  openssh
fc4a4608009cc24a757824ff56fd8b91  ntpd
d80d081c40be94937a164c791b660b1f  ftp
b878de32a9142c19f1fface9a8d588fb  cron
46a255e78d6bd3e97456b98aa4ea0228  bash
53f6451a939f9f744ab689168cc1e21a  apache2
41edaeb0b52c5c7c835c4196d5fd7123  [cpu]

Source:https://securityboulevard.com/2018/10/new-demonbot-discovered/

Large companies are hit by cyberattacks at an above average rate, according to the Cybersecurity Monitor of Dutch statistics bureau CBS for 2018. Among companies of 250+ employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident.

Of the larger companies, 23 percent suffered from failure of business processes due to the outside cyberattacks. This compares to 6 percent for the smaller companies. Of all ICT incidents, failures were most common, for all sizes, though again, the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise from both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or from the unintentional disclosure of data by an employee. The fact that larger companies suffer more from ICT incidents can be related to the fact that more people work with computers; this increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems.

The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) often suffer from ICT incidents due to external attacks. Small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out 3, compared to 2 out of 5 for larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report them to one or more authorities, including police, the Dutch Data Protection Authority AP, a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies report these ICT incidents most frequently to the AP, complying with law. After that, most reports are made to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, in comparison with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures. This goes to 98 percent for larger companies.

Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851

As the old saying goes, “darkness falls across the land, the midnight hour is close at hand.” Halloween is upon the scene and frightening things are unforeseen. Imagine watching a chilling movie depicting a zombie apocalypse or a deadly virus spreading fast across a metropolis, infecting everything in its wake. Sounds like a monstrous scenario? Sounds analogous to a cyber-attack?

You could be onto something. Strap yourself in. It’s going to be a bumpy ride.

According to recent F5 Labs threat analysis, the top application breaches haunting companies right now with rapidly mutating sophistication include payment card theft via web injection (70%), website hacking (26%), and app database hacking (4%).

Frighteningly, further analysis shows that 13% of all web application breaches in 2017 and Q1 2018 were access related. This bloodcurdling discovery can be dissected as follows: credentials stolen via compromised email (34.29%), access control misconfiguration (22.86%); credential stuffing from stolen passwords (8.57%), brute force attacks to crack passwords (5.71%), and social engineering theft (2.76). The eerie evidence also shows that applications and identities are the initial targets in 86% of breaches.

Businesses worldwide now face a sense of creeping dread and imminent disruption. Nowadays, they are more prone than ever to terrors such as malware hijacking browsers to sniff or intercept application authentication credentials. Then there are the strains of malware that target financial logins to menace both browser and mobile clients.

There’s no way around it. Getting your cybersecurity posture right is the only way to stay safe. Get it wrong, however, and you’ll get the fright of your life in the shape of EU’s General Data Protection Regulation (GDPR) enforcement. There is definitively nowhere to hide this Halloween if you’re breached or fall short of tightening compliance expectations.

Yet, if scary movies have taught us anything about horror stories, it is to never to scream and run away. As this ghoulish season can overshadow any organisation, it’s imperative that preventative measures are in place to protect vital assets. Yes, the findings from F5 Labs may paint a bleak picture but there are plenty of preventative measures you can take to improve your security posture and safeguard your employees’ applications and sensitive data: 

  • Understand your threat environment and prioritise defences against grave risk concerns. Know which applications are important and minimise your attack surface. Remember, an app’s surface is broadening all the time, encompassing multiple tiers and the ever-increasing use of application programming interfaces (APIs) to share data with third parties.
  • Use data to drive your risk strategy and identify what attackers would typically target. Beware that any part of an application service visible on the Internet will be probed by fiendish hackers for possible exploitation.
  • Configure your network systems properly or suffer the consequences of applications leaking internal and infrastructure information, including server names, private network addresses, email addresses, and even usernames. This is all valuable ammunition for a horrible hacker to carry out an attack.
  • Be aware of common threats including DDoS attacks, ransomware, malware, phishing, and botnets. Ensure your IT response strategies are built to adapt and update in line with new vulnerabilities and threats will invariably improve survival rates.
  • Implement a strong set of easily manageable and powerful security solutions such as an advanced web application firewall (AWAF). This type of technology is extremely scalable and can protect against the latest wave of attacks using behavioural analytics, proactive bot defence, and application-layer encryption of sensitive data like personal credentials.
  • Ensure the company enforces a proactive culture of security and educates employees on policy, device management, as well as safe internet and cloud usage.
  • When travelling on business, ensure staff never conduct financial transactions requiring a debit or credit card when using public or free Wi-Fi services. Never assume mobiles and laptop devices are safe, even at the local coffee bar.
  • Change your passwords regularly (i.e. every month). This is especially important after travel. Devices may have been compromised during transit.
  • Always perform regular data backups on approved devices and/or secure cloud platforms to ensure sensitive information is not lost or stolen and can be quickly recovered in the event of an attack.
  • Remember, careless employees who feel they are unaccountable for the loss of work devices can damage business reputations.

 The grim reality

Remember this is the time of year when “creatures crawl in search of blood to terrorize the neighbourhood”. Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have ghastly consequences.

The business world is littered with victims of cybercrime, so don’t get consigned to the grievous graveyard of cyber fraud. Know what makes your apps vulnerable and how they can be attacked. Makes sure you put the right solutions in place to lower your risk. Now is the time to stop being haunted by cybercriminals draining the lifeblood out of your business.

Source: https://www.informationsecuritybuzz.com/articles/the-haunting-horror-story-of-cybercrime/

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.

Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques.

Line Between Illicit and Legitimate E-Commerce Is Blurring
The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products.

The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks.

Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites.

From Niche to Mass Market
In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate.

There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities.

Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers
The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize.

Cybercrime Infrastructure-as-a-Service
The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post.

The New Reality
Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services.

The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay.

Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings.

Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd.) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security.

Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors.

On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware.

SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems.

“Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.”

PROBLEM TO PROBLEM

A core part of the problem is the peer-to-peer (P2P) communications component called “XMEye” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything.

To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db).

Electronics firms are assigned ranges of MAC address that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG.

SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online.

[For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice].

BLANK TO BANK

While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e, no password).

The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials.

Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams.

Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections.

In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device. Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot.

CAN XIONGMAI REALLY BE THAT BAD?

In the wake of the Mirai botnet’s emergence in 2016 and the subsequent record denial-of-service attacks that brought down chunks of the Internet at a time (including this Web site and my DDoS protection provider at times), multiple security firms said Xiongmai’s insecure products were a huge contributor to the problem.

Among the company’s strongest critics was New York City-based security firm Flashpoint, which pointed out that even basic security features built into Xiongmai’s hardware had completely failed at basic tasks.

For example, Flashpoint’s analysts discovered that the login page for a camera or DVR running Xiongmai hardware and software could be bypassed just by navigating to a page called “DVR.htm” prior to login.

Flashpoint’s researchers also found that any changes to passwords for various user accounts accessible via the Web administration page for Xiongmai products did nothing to change passwords for accounts that were hard-coded into these devices and accessible only via more obscure, command-line communications interfaces like Telnet and SSH.

Not long after Xiongmai was publicly shamed for failing to fix obvious security weaknesses that helped contribute to the spread of Mirai and related IoT botnets, Xiongmai lashed out at multiple security firms and journalists, promising to sue its critics for defamation (it never followed through on that threat, as far as I can tell).

At the same time, Xiongmai promised that it would be issuing a product recall on millions of devices to ensure they were not deployed with insecure settings and software. But according to Flashpoint’s Zach Wikholm, Xiongmai never followed through with the recall, either. Rather, it was all a way for the company to save face publicly and with its business partners.

“This company said they were going to do a product recall, but it looks like they never got around to it,” Wikholm said. “They were just trying to cover up and keep moving.”

Wikholm said Flashpoint discovered a number of additional glaring vulnerabilities in Xiongmai’s hardware and software that left them wide open to takeover by malicious hackers, and that several of those weaknesses still exist in the company’s core product line.

“We could have kept releasing our findings, but it just got really difficult to keep doing that because Xiongmai wouldn’t fix them and it would only make it easier for people to compromise these devices,” Wikholm said.

The Flashpoint analyst said he believes SEC Consult’s estimates of the number of vulnerable Xiongmai devices to be extremely conservative.

“Nine million devices sounds quite low because these guys hold 25 percent of the world’s DVR market,” to say nothing of the company’s share in the market for cheapo IP cameras, Wikholm said.

What’s more, he said, Xiongmai has turned a deaf ear to reports about dangerous security holes across its product lines principally because it doesn’t answer directly to customers who purchase the gear.

“The only reason they’ve maintained this level of [not caring] is they’ve been in this market for a long time and established very strong regional sales channels to dozens of third-party companies,” that ultimately rebrand Xiongmai’s products as their own, he said.

Also, the typical consumer of cheap electronics powered by Xiongmai’s kit don’t really care how easily these devices can be commandeered by cybercriminals, Wikholm observed.

“They just want a security system around their house or business that doesn’t cost an arm and leg, and Xiongmai is by far the biggest player in that space,” he said. “Most companies at least have some sort of incentive to make things better when faced with public pressure. But they don’t seem to have that drive.”

A PHANTOM MENACE

SEC Consult concluded its technical advisory about the security flaws by saying Xiongmai “does not provide any mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.”

While this may sound easy enough, acting on that advice is difficult in practice because very few devices made with Xiongmai’s deeply flawed hardware and software advertise that fact on the label or product name. Rather, the components that Xiongmai makes are sold downstream to vendors who then use it in their own products and slap on a label with their own brand name.

How many vendors? It’s difficult to say for sure, but a search on the term XMEye via the e-commerce sites where Xiongmai’s white-labeled products typically are sold (Amazon, Aliexpress.com, Homedepot.com and Walmart) reveals more than 100 companies that you’ve probably never heard of which brand Xiongmai’s hardware and software as their own.  That list is available here (PDF) and is also pasted at the conclusion of this post for the benefit of search engines.

SEC Consult’s technical advisory about their findings lists a number of indicators that system and network administrators can use to quickly determine whether any of these vulnerable P2P Xiongmai devices happen to be on your network.

For end users concerned about this, one way of fingerprinting Xiongmai devices is to search Amazon.com, aliexpress.com, walmart.com and other online merchants for the brand on the side of your device and the term “XMEye.” If you get a hit, chances are excellent you’ve got a device built on Xiongmai’s technology.

Another option: open a browser and navigate to the local Internet address of your device. If you have one of these devices on your local network, the login page should look like the one below:

Another giveaway on virtually all Xiongmai devices is pasting “http://IP/err.htm” into a browser address bar should display the following error message (where IP= the local IP address of the device):

According to SEC Consult, Xiongmai’s electronics and hardware make up the guts of IP cameras and DVRs marketed and sold under the company names below.

What’s most remarkable about many of the companies listed below is that about half of them don’t even have their own Web sites, and instead simply rely on direct-to-consumer product listings at Amazon.com or other e-commerce outlets. Among those that do sell Xiongmai’s products directly via the Web, very few of them seem to even offer secure (https://) Web sites.

SEC Consult’s blog post about their findings has more technical details, as does the security advisory they released today.

In response to questions about the SEC Consult reports, Xiongmai said it is now using a new encryption method to generate the UID for its XMEye devices, and will not longer be relying on MAC addresses.

Xiongmai also said users will be asked to change a devices default username and password when they use the XMEye Internet Explorer plugin or mobile app. The company also said it had removed the “default” account in firmware versions after August 2018. It also disputed SEC Consult’s claims that it doesn’t encrypt traffic handled by the devices.

In response to criticism that any settings changed by the user in the Web interface will not affect user accounts that are only accessible via telnet, Xiongmai said it was getting ready to delete telnet completely from its devices “soon.”

KrebsOnSecurity is unable to validate the veracity of Xiongmai’s claims, but it should be noted that this company has made a number of such claims and promises in the past that never materialized.

Johannes Greil, head of SEC Consult Vulnerability Lab, said as far as he could tell none of the proclaimed fixes have materialized.

“We are looking forward for Xiongmai to fix the vulnerabilities for new devices as well as all devices in the field,” Greil said.

Here’s the current list of companies that white label Xiongmai’s insecure products, according to SEC Consult:

9Trading
Abowone
AHWVSE
ANRAN
ASECAM
Autoeye
AZISHN
A-ZONE
BESDER/BESDERSEC
BESSKY
Bestmo
BFMore
BOAVISION
BULWARK
CANAVIS
CWH
DAGRO
datocctv
DEFEWAY
digoo
DiySecurityCameraWorld
DONPHIA
ENKLOV
ESAMACT
ESCAM
EVTEVISION
Fayele
FLOUREON
Funi
GADINAN
GARUNK
HAMROL
HAMROLTE
Highfly
Hiseeu
HISVISION
HMQC
IHOMEGUARD
ISSEUSEE
iTooner
JENNOV
Jooan
Jshida
JUESENWDM
JUFENG
JZTEK
KERUI
KKMOON
KONLEN
Kopda
Lenyes
LESHP
LEVCOECAM
LINGSEE
LOOSAFE
MIEBUL
MISECU
Nextrend
OEM
OLOEY
OUERTECH
QNTSQ
SACAM
SANNCE
SANSCO
SecTec
Shell film
Sifvision/sifsecurityvision
smar
SMTSEC
SSICON
SUNBA
Sunivision
Susikum
TECBOX
Techage
Techege
TianAnXun
TMEZON
TVPSii
Unique Vision
unitoptek
USAFEQLO
VOLDRELI
Westmile
Westshine
Wistino
Witrue
WNK Security Technology
WOFEA
WOSHIJIA
WUSONLUSAN
XIAO MA
XinAnX
xloongx
YiiSPO
YUCHENG
YUNSYE
zclever
zilnk
ZJUXIN
zmodo
ZRHUNTER

Source: https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/